================ @@ -1273,6 +1273,41 @@ Check for memory leaks, double free, and use-after-free problems. Traces memory .. literalinclude:: checkers/unix_malloc_example.c :language: c +If the ``alpha.security.taint.TaintPropagation`` checker is enabled, the checker +warns for cases when the ``size`` parameter of the ``malloc`` , ``calloc``, +``realloc``, ``alloca`` is tainted (potentially attacker controlled). If an +attacker can inject a large value as the size parameter, memory exhaustion +denial of service attack can be carried out. + +The analyzer emits warning only if it cannot prove that the size parameter is +within reasonable bounds (``<= SIZE_MAX/4``). This functionality partially +covers the SEI Cert coding standard rule `INT04-C +<https://wiki.sei.cmu.edu/confluence/display/c/INT04-C.+Enforce+limits+on+integer+values+originating+from+tainted+sources>`_. + +You can silence this warning either by bound checking the ``size`` parameter, or +by explicitly marking the ``size`` parameter as sanitized. See the +:ref:`alpha-security-taint-TaintPropagation` checker for more details. + +.. code-block:: c + + void t1(void) { + size_t size; + scanf("%zu", &size); + int *p = malloc(size); // warn: malloc is called with a tainted (potentially attacker controlled) value + free(p); + } + + void t3(void) { + size_t size; + scanf("%zu", &size); + if (1024<size) ---------------- steakhal wrote:
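Review bot: The sentence listing the allocators in the added paragraph has a stray space before the comma (``malloc`` , ``calloc``) and no conjunction; suggest "the ``size`` parameter of ``malloc``, ``calloc``, ``realloc`` or ``alloca`` is tainted". Two smaller wording points in the same paragraph block: "memory exhaustion denial of service attack can be carried out" reads better as "a memory-exhaustion denial-of-service attack can be carried out", and "The analyzer emits warning only if" as "The analyzer emits a warning only if". In the ``t1`` and ``t3`` samples, the return value of ``scanf`` is not checked, so on input failure ``size`` keeps whatever value it had before the call; since these snippets are meant to be copied by readers, initialising ``size`` (or checking that ``scanf`` returned 1) would make the examples correct independently of the checker they illustrate.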
```suggestion
size_t size = 0;
scanf("%zu", &size);
if (1024 < size)
```

Format code; initialize `size` to have a defined value even if `scanf` fails.

https://github.com/llvm/llvm-project/pull/92420

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits